Security and Technology

Blocking countries via iptables

Blocking countries via iptables

With all of the scanning / noise on the Internet, it’s nice to get rid of a large chunk of it simply by blocking an entire country’s worth of IP space. To do that you can simply use a kernel module for iptables called “xtables-addons”. On Debian/Ubuntu it’s pretty easy to get going, just apt-get install the needed perl library and the addons themselves:

apt-get install libtext-csv-xs-perl xtables-addons-common

!Warning: This does require proper linux headers to be available to compile the kernel module. In the case of where these aren’t availabe (like Linode’s special kernel), you will need to find another way to get the correct headers installed.

Then download the Maxmind geo database, the location of the xt_geoip_dl tool that does this is dependent on the installed version of xtables-addons. For my testing I have found it in /usr/src/xtables-addons-2.6/geoip/ as well as /usr/lib/xtables-addons/ YMMV.

When looking up how to do this many people recommended updating the GeoIP database once a month. To do this I made a really simple bash script that just repeats all the things I did and added it to a monthly cron job: